protobufjs Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability in protobufjs versions prior to 8.0.1 and 7.5.5 allows an attacker who controls a protobuf definition to inject arbitrary code through its 'type' fields. The injected code is executed when objects are decoded with that definition, resulting in remote code execution. The root cause is that the library does not validate type names, so a crafted name is executed as code in the context of the application.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the vulnerable protobufjs library is used.

Reproduction

To reproduce this vulnerability, create a protobuf definition that includes malicious code in the 'type' fields. This can be done by crafting a JSON descriptor that injects JavaScript code, such as a function that executes a system command. Once the malicious descriptor is created, it can be decoded using the vulnerable protobufjs library, which will execute the injected code.

Remediation

Users can upgrade to protobufjs versions 8.0.1 or 7.5.5, both of which address this vulnerability by filtering out invalid characters from type names, preventing the injection of arbitrary code.
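For deployments that load JSON descriptors from an untrusted source and cannot upgrade immediately, the descriptor can be checked before it is handed to the library. The guard below is an added example, not protobufjs project code; the identifier grammar it enforces and the loader hand-off via a `fromJSON` function are assumptions of this example, not the library's own filter.

```javascript
// Added example (not protobufjs code): reject JSON descriptors whose 'type'
// or 'keyType' values are not plain, dotted protobuf identifiers, so that a
// crafted type name never reaches the library's decoder generation.
// Grammar below is this example's assumption, not the library's own rule.
const TYPE_NAME = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk a protobufjs-style JSON descriptor ({ nested: { Msg: { fields: {...} } } })
// and return the dotted paths of every malformed type name found.
function findInvalidTypeNames(node, path = [], out = []) {
  if (!node || typeof node !== 'object') return out;
  const fields = node.fields || {};
  for (const [fieldName, field] of Object.entries(fields)) {
    for (const key of ['type', 'keyType']) {
      if (field[key] !== undefined && !TYPE_NAME.test(String(field[key]))) {
        out.push([...path, fieldName, key].join('.'));
      }
    }
  }
  const nested = node.nested || {};
  for (const [name, child] of Object.entries(nested)) {
    findInvalidTypeNames(child, [...path, name], out);
  }
  return out;
}

// Load only after the check passes; `loader.fromJSON` would be
// protobufjs' Root.fromJSON in real use (assumed interface here).
function loadDescriptorSafely(descriptor, loader) {
  const bad = findInvalidTypeNames(descriptor);
  if (bad.length > 0) {
    throw new Error('rejected descriptor, malformed type names at: ' + bad.join(', '));
  }
  return loader.fromJSON(descriptor);
}

// Constructed sample descriptors for illustration (not from any real project).
const CLEAN_DESCRIPTOR = {
  nested: { Ping: { fields: { id: { type: 'uint32', id: 1 }, who: { type: '.demo.User', id: 2 } } } }
};
const TAINTED_DESCRIPTOR = {
  nested: { Ping: { fields: { id: { type: 'uint32; notAnIdentifier', id: 1 } } } }
};
```

The same walk can be run at build time over checked-in descriptors, which turns an unexpected type name into a CI failure rather than a runtime surprise.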

Added: Apr 18, 2026, 5:18 PM
Updated: Apr 18, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.